Sunday, 29 January 2017

We have 480 days to go before the General Data Protection Regulation is “in force”.

And then what?

That's the question I’m being increasingly asked these days.

Does it really mean that in 481 days, European privacy regulators will be heralding the first megafine for non-compliance with one of the GDPR’s more obscure requirements?

I think not.

But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector, who will note, from the data protection compliance reports that have been commissioned, the difficulties that are being encountered in ensuring that sufficient evidence is available to demonstrate how the organisation complies with the GDPR.

Many of the organisations I’m currently working with are still trying to understand just what it is that they are supposed to be complying with, and also what standard of evidence needs to be generated, just in case privacy regulators exercise their Article 30(4) right to request it.

Each professional consulting firm I’ve come across carries out data protection audits / health checks in different ways. And, in assessing data controllers through different privacy prisms, I’m confident that some organisations might well “pass” a privacy review that was carried out by one consulting firm, yet “fail” the review that was carried out by another firm. Why? Because the other firm had decided to focus on some obscure GDPR issues that the original firm didn’t think were particularly relevant.

Does this matter?

Well, it would if it led to the organisation performing poorly in a review that was carried out by a national privacy regulator.

So, what should be done to reduce the likelihood of such an event?

In the UK, the ICO has provided organisations with a great deal of guidance as to precisely what controls they would expect to see in place and operating effectively. I don’t see this degree of guidance readily available in other EU countries. I have not had an opportunity to review all the webpages of each national data protection supervisory authority, but my cursory checks have certainly not unearthed the level of detail that has been published by the ICO. Perhaps this will be a task for the Data Protection Board.

But, in the short term, what new areas of non-compliance might European privacy regulators focus on?

If I were a privacy regulator, I would focus on records management and, in particular, the greatly ignored area of records retention. So many organisations find it hard to develop, let alone implement, comprehensive records retention policies. Are they in for an unwelcome surprise? The GDPR is (apparently) going to require data controllers to be more transparent about their records retention policies.

The potential fine for not informing individuals, as their personal data is being collected, about retention periods is of course significant. But do (even) regulators take the issue of data retention that seriously? Outside the communications sector, how much interest, or formal enforcement action, has ever been taken against data controllers with regard to breaches of the Fifth Data Protection Principle?

I’m not aware of many cases. Over-retention may have been an aggravating factor when the ICO considered the level of a fine for some incidents involving security breaches, but there are very few recorded cases of enforcement action being taken just because a data controller retained data for longer than the regulator considered necessary.

Perhaps this will change.

But, since most data controllers have paid no more than lip service to the difficult issue of the period for which the personal data will be stored, I doubt that many currently feel that the ICO’s attitude will change significantly in 480 days’ time.

Sunday, 8 January 2017

I’m increasingly asked whether particular firms actually need to appoint a Data Protection Officer in order to comply with the requirements of the GDPR. Given that the potential fine for non-compliance (with Article 37) is €10 million or up to 2% of the total worldwide annual turnover, companies quite understandably don't want to get such a basic issue wrong. Many firms that are basically B2B firms, which mainly process personal data for HR purposes, don't want to gold-plate their privacy compliance programmes (to the extent they have any) by taking unnecessary action.

The Article 29 Working Party published an opinion on this subject last December. To be frank, it’s only somewhat helpful.

With regard to the private sector, firms that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale, must appoint a DPO.

The meaning of “core activity” has been set out in Recital 97. This relates to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. The A29WP opines that “all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

So, it would appear that the GDPR does not require firms that simply process personal data for HR purposes to appoint a DPO.

But what about, say, the customer data that's processed by firms, particularly by those in the B2B sector? How much (personal) customer data needs to be processed before the threshold for appointing a DPO is reached?

To answer this question, I’ve looked at the A29WP’s guidance on the meaning of the term “large scale”. Firms that don't process such data on a large scale don’t need to appoint a DPO. Unfortunately, the guidance (and the GDPR) is sketchy on what the term actually means.

Recital 91 explains, in the context of Data Protection Impact Assessments, that “large-scale processing operations” include those “which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” to individuals. On the other hand, the recital specifically provides that “the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.

So, the test appears to focus on the size of the firm, as well as the amount of personal data that is being processed. Accordingly, some types of SMEs (the smaller ones) will not be required to appoint a DPO. This is important, as SMEs account for more than 99% of all UK businesses.

Unfortunately, there is one very large fundamental problem with the SME sector. That problem is that even within the UK government, there is no single definition of what a small or a medium enterprise is.

According to The Company Warehouse, for the purpose of Research and Development Tax Relief, HMRC defines an SME as a business with not more than 500 employees and an annual turnover not exceeding £100 million.

However, the rest of the UK government does not use this definition.

For the purposes of collecting statistics, the Department of Business, Innovation & Skills defines SMEs as companies with fewer than 250 employees.

For accounting purposes, Companies House defines a small business as one employing fewer than 50 people with a turnover under £6.5 million, and a medium business as one with fewer than 250 employees and a turnover under £25.9 million.

To further complicate things, other parts of the UK government use the EU definition of an SME:

Micro Business = fewer than 10 employees & turnover under £2 million

Small Business = fewer than 50 employees & turnover under £10 million

Medium Business = fewer than 250 employees & turnover under £50 million

So depending on which definition you use, an SME could have anywhere between 50 and 500 employees and have a turnover between £6.5 million and £50 million.

One way to encourage SMEs to comply with the GDPR must involve coming up with an easier definition of when they must appoint a Data Protection Officer.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.